Re: policy change is needed to keep debian secure
I second this post.
Dan, thank you for saying so clearly.
On Sat, 20 Aug 2005, Daniel Sterling wrote:
> Keeping Debian stable by not changing things is great.
> Except maybe it's not so great when you're trying to maintain a complicated,
> buggy, high profile program that handles sensitive user data and untrusted input.
> Debian stable cannot stay stable without changing, sometimes drastically.
> Firefox in Debian stable cannot stay stable and secure by not changing.
> The latest upgrades to sarge's firefox have addressed (successfully?) several
> security vulnerabilities. I submit that the work done to create these new
> packages has been wasted effort, for at least two reasons.
> 1. Creating these packages duplicates work already done upstream. While you
> could argue that this is true for any security backport to a greater or lesser
> degree, in this case this point is important because:
> 2. The packages are buggy. (in subtle and creative ways, such as
> sometimes-broken middle clicking).
> In addition, the time between upstream's release and the DSA has not been
> minimal (one month!) (This is a whole issue in itself! Are Debian users supposed
> to subscribe to bugtraq etc to ensure their browser is secure?)
> We need to accept that we should not be wasting our valuable talent and time on
> backporting security fixes to complicated apps such as Firefox. I don't know
> which app that time should be spent on, but I know it sure ain't Firefox.
> Properly backporting the fixes and getting them into Debian will simply take too
> much time, if it is properly done at all. We would basically need to have our
> own Firefox developer, who, even though she understands how the code works and
> all the subtlety involved, has decided instead of fixing bugs and implementing
> features, she wants to keep security up to date on an obsolete code base.
> No one is going to do that. No one should be doing that.
> We need to figure out how to get the latest Firefox on the desktops of stable
> users. Something like volatile *may* be the answer. Perhaps keeping the latest
> secure version of Firefox in security, or experimental. Perhaps we need to
> completely revamp the way stable works. However, we CANNOT do nothing, or
> continue to believe we can maintain older versions of software as complex and
> intricate as Firefox. Because we can't maintain them.
> I submit that whoever wants 1.0.4 in sarge so bad they'll maintain it needs to
> step forward now, or forever hold their peace.
> I submit that the only feasible solution is to use the latest upstream in
> security updates. That means when 1.0.x is EOLed, if there are security issues
> still present, we remove Firefox from sarge (which is better than keeping an
> insecure version, and is what we are implicitly doing when we don't update it--
> reference Mozilla 1.0 in woody) or use the latest upstream version. I submit
> that this *is* the best way for Debian users, as they will get prompt, working
> security updates. I submit that if someone will have/has a problem with that,
> they almost certainly already have a working solution in place right now, as
> Debian's packages have been, from a security standpoint, unworkable for a month
> with Firefox, and possibly longer with Mozilla. Have we heard an argument from
> any real life users for keeping older, buggy, and possibly insecure versions of
> Firefox in Debian?
> In summary, Debian must package the latest upstream Firefox in stable to stay
> stable and secure, and doing so might require policy change. That policy change
> is needed.
> -- Dan